Hi, > I didn't see the Message ID as harmful, but I'm more than happy to be > educated on this front. I do see the timezone leakage as a problem.
The Message-ID used by Thunderbird consists of two parts: the Unix timestamp in hexadecimal format (which matches the time in the 'Date' header) and a random number, the former being the reason why the message-ID is considered 'harmful'. tagnaq's paper [0] discusses this and proposes a time independent message-ID for Thunderbird. [0] - https://trac.torproject.org/projects/tor/attachment/wiki/doc/TorifyHOWTO/EMail/Thunderbird/Thunderbird%2BTor.pdf > had a look through Thunderbird's settings and can't see anything to > indicate that this is stored within the settings so I imagine that this > comes from system. If it's controlled through the environment then it > may be able to be set before running, again maybe through a TBB style > startup. Yes, there is no way to change this using the configuration settings. It is possible to do this by setting the 'TZ' environment variable [1], however that introduces a new problem: Thunderbird then uses UTC as the dates on emails also and this may confuse/ irritate the users. We are currently working on the date and the message-ID issue. [1] - https://www.torproject.org/torbutton/torbutton-faq.html.en#securityissues > My only other immediate concern is how Thunderbird identifies itself to > the SMTP server during the EHLO. Claws mail provides a dialogue to show > what it's doing, and also allows you to specify what it is that is > reported to the other end. I'm not sure what Thunderbird says, but it's > likely that it is the local hostname. This has been taken care of, 'mail.smtpserver.default.hello_argument' is set to '127.0.0.1' to prevent hostname leaks. Thanks for helping us test this out. -- Sukhbir _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
